Hi josch,

On 2024-04-21 at 01:26, Johannes Schauer Marin Rodrigues wrote:
> Quoting Milan Kupcevic (2024-04-21 01:03:12)
> > On 4/20/24 15:59, Johannes Schauer Marin Rodrigues wrote:
> > > How about using the upstream git instead of the release tarball as the
> > > base for the packaging?
> > I would rather stick with the official release tarballs as they get signed
> > with the upstream developer's key.
> 
> I think we just recently had a long discussion in Debian about using the
> upstream git as source for the packaging instead of the release tarball in the
> light of how the recent xz-utils attack was performed. Maybe you can convince
> upstream to sign their git commits and/or tags.

It's actually more than just commit/tag signing.  Upstream releases[1]
"RECOMMENDED" release and "BETA" versions, doesn't distinguish[2]
between them in Git tags[3], and tells users to get release versions as
tar archives[4] and only use the Git repository for developing less[5].

[1]: https://www.greenwoodsoftware.com/less/download.html
[2]: https://github.com/gwsw/less/issues/441
[3]: https://github.com/gwsw/less/tags
[4]: https://github.com/gwsw/less/issues/245#issuecomment-1012323104
[5]: https://github.com/gwsw/less/blob/5e425e2/README#L20
-- 
Patrick "P. J." McDermott:  http://www.pehjota.net/
Lead Developer, ProteanOS:  http://www.proteanos.com/
Founder and CEO, Libiquity: http://www.libiquity.com/
